How the Tubes are Strangling Their Owners: Consumer Rights Bill 2014

4 November 2014 @PrincetonCITP “Trusting Human Safety to Software: What Could Possibly Go Wrong?”

Page 1: How the Tubes are Strangling Their Owners: Consumer Rights Bill 2014

4/11 @PrincetonCITP

“Trusting Human Safety to Software: What Could Possibly Go Wrong?”

How the Tubes are Strangling Their Owners

Page 2:

Internet a series of tubes

Page 3:

Industrial control systems connected to the internet: icsmap.shodan.io

Page 4:

Tubes provide our software updates. What could possibly go wrong?

Patch Tuesday biggest Internet event, especially for sysadmins:

• “In a relatively light September 2014 Patch Tuesday release, Microsoft addressed 42 vulnerabilities across four bulletins.

• “The majority (37) repair issues in Internet Explorer (IE),

• “8th month in a row the Web browser has required patching.

• “Over the past three months, Microsoft has issued updates for more than 100 vulnerabilities in IE”

Page 5:

Xkcd 1328

Page 6:
Page 7:

Microsoft trying hard to restore trust in intermediaries…

Page 8:

But I will discuss more consumer issues: who controls your download?

Page 9:

What’s worse than a free U2 album?

No, it’s not two free albums….

Page 10:

It’s….

Page 11:

Who decides what you get?

• Terms and conditions of e-commerce providers

• Intermediary terms

• Internet Service Providers’ Terms of Use

• Note many ISPs scan email and web for spam and malware

• Billions of spam emails removed every day

• You give them permission in your Terms of Use

• That provided a backdoor to breach net neutrality in mid-2000s

• “Not throttling but security scanning…”

Page 12:

More here….

Page 13:

UK Consumer Rights Bill 2014: updates Sale of Goods Act 1979

Page 14:

Helpful Q&A section: case study

Consumer buys an e-book…which does not download properly…

“She also checks with her ISP that there were no interruptions during the time of the download.”

Page 15:

Who double checks that?

Page 16:

The consumer must prove that….

“the digital content was not of satisfactory quality and the problem was not due to their internet connection or hardware.

“The trader would then have to provide the consumer with redress regardless of whether they had provided the related service with reasonable care and skill.”

See any problem with the government case study proof?

Page 17:

It's a net neutrality law!

How will ISP satisfy proof of an uninterrupted service if it does any filtering or throttling at all?

• “Has #UKgov thought about #netneutrality implications of #prosumerlaw refunds for 'faulty' (jittery) downloads?”

225 page consultation document shows no hits for net neutrality

• http://discuss.bis.gov.uk/consumer-bill-of-rights/ministers-introduction/

Page 18:

Many players: author, distributor, consumer, 3rd parties

Codes of Conduct all over the place for ISPs, for retailers, for consumers

Page 19:

My co-author Ian Brown suggests monitoring by e-commerce providers

“I suspect this law would encourage interactive content suppliers to develop software for the user's device

• that would monitor media playout and connection quality

Supplier can reject claims resulting from hardware/ISP problems”

Page 20:

Test hardware & connection speed before agreeing to supply content

Page 21:

Result: overt monitoring of your device/connection by every app

Sounds familiar?

Page 22:

There’s an app for that...

Page 23:

BBC iPlayer already monitors connections on the fly

BBC Internet Blog 2012: Android Update

http://www.bbc.co.uk/blogs/legacy/bbcinternet/2012/02/bbc_iplayer_android_update.html

“Some people have asked why the BBC iPlayer Android app asks for permission to access your phone's Network communication, Phone calls and System tools.

“These are standard Android app permissions that are defined by the Google Android platform.”

Page 24:

The 3 permissions the BBC iPlayer Android app asks to use

1. Network Communication - full internet access.

provides iPlayer access to the internet so it can play programmes.

2. Phone Calls - read phone state and identity.

provides iPlayer with phone communication status and notifies the application if the phone rings or a phone call is in progress.

• iPlayer app pauses if you receive a phone call while watching.

• iPlayer app does not access or store any personal information, phone numbers or IMEI numbers.

3. System tools – prevents sleeping, retrieve running applications.

• iPlayer ability to prevent phone going to sleep when watching

Page 25:

BBC monitoring iPlayer performance to regulate ISP throttling

Vaizey says no to net neutrality, BBC looks to iPlayer traffic light system

• November 18, 2010 http://www.digitaltveurope.net/1931/vaizey-says-no-to-net-neutrality-bbc-looks-to-iplayer-traffic-light-system/

“UK ISPs should not be bound by so-called network neutrality commitments, according to communications minister Ed Vaizey”

BBC response – name and shame ISPs who throttle

Page 26:

Why else might BBC monitor?

iPlayer provides early access to two shows in great demand

[1] UK Top Gear

[2] Dr Who

Millions of ‘petrolheads’ and scifi fans use VPN proxies

Costs UK tax payer (=licence fee payer)?

• http://www.theninjaproxy.org/ninja/how-to-watch-bbc-iplayer-on-your-ipad-from-outside-the-uk/

Page 27:

Similar issues with net neutrality forensics in US

• Neubot: http://www.neubot.org/2014/10/15/neubot-update-2014-q3

• Measurement Lab: http://www.measurementlab.net/

• SamKnows for FCC: http://www.fcc.gov/reports/measuring-broadband-america-2014#Figure2

• Mobile data? http://www.fcc.gov/reports/measuring-broadband-america-2014#Launch

• uCap talk next week @CITP

• https://citp.princeton.edu/event/chetty/

Page 28:

Conclusion: Computer says no… government in denial on CRB

Page 29:

Final thought: problems both ways – providing higher service quality

If ISPs throttle, that might become a cause of action under Consumer Rights Bill – though government claims no impact

Page 30:

But if ISPs develop ‘specialised services’ and still fail to deliver?

Would Netflix, YouTube or Facebook have contractual cause?

• SS are not flawless – many B2B disputes over network outages

Difference here is the consumer’s involvement

• Especially if that consumer has no financial damages except time and effort –

• for Wikipedia or BBC content, for instance?

In both US/Europe, outside consumer/communications law?

Page 31:

What’s worse than a free U2 album?

One that doesn’t play back?